This sounds like something I dealt with "System Security 2009"... Take a look at Trojan.Poison.J.
Part of the problem is that I believe it adds a BHO, that will automatically bounce you to a "This web page is hazardous message, any time you go to the Antivirus (or Microsoft's) web site. Darn effective, and annoying.
If you are quick, you can see Windows Update load, and then it loads a different page as the BHO bounces you.
Original source here: http://blog.plaitsolutions.com/2009/09/25/update-to-previous-post-on-emails-that-are-bogus.aspx?ref=rss
So, here's what you do if this vile piece of malware is inhabiting your PC (read this through carefully before starting the work):
Removing System Security 2009 manually******:
1. Boot into Safe Mode.
2. Browse to and remove the following files:
C:\Documents and Settings\All Users\Application Data\00308937*\pc00308937ins*
C:\Documents and Settings\All Users\Application Data\00308937*\00308937.exe*
C:\Documents and Settings\All Users\Application Data\00308937*\config.udb
C:\Documents and Settings\{your username directory}**\Desktop\System Security 2009.lnk
C:\Documents and Settings\{your username directory}**\Start Menu\Programs\System Security\System Security 2009 Support.lnk
C:\Documents and Settings\{your username directory}**\Start Menu\Programs\System Security\System Security 2009.lnk
* - The number in this command (00308937) may not be the actual number you see in the directory. If so, replace that number with the one in the directory.
** - replace "{your username directory)" with the name of the user's folder under Documents and Settings. For example, my username is "Sid", so the path to the System Security 2009.lnk file would be:
C:\Documents and Settings\Sid\Desktop\System Security 2009.lnk
3. Delete the following registry entries:
HKEY_LOCAL_MACHINE\Software\00308937*
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run “00308937″*
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\SystemSecurity2009
* - The number in these registry entries (00308937) may not be the actual number you see in the directory. If so, replace that number with the one in the directory (the same one you used in the previous step).
****** - Manual removal of System Security 2009 is a dangerous task if you aren't familiar with the registry. If you remove the wrong keys, you could cause your computer to stop working. While it has worked in every case for me so far, the malware may reappear. I suggest you either use an automated tool or call a professional to remove it.
From the wikipedia link: "An in-memory patch is also applied to the system resolver DLL to block lookups of hostnames related to antivirus software vendors and the Windows Update service." This looks like the droid I'm looking for. Will investigate this avenue. Thanks for the tip. – spender – 2009-09-28T14:18:51.567
It looks like this was the right one. Running Sophos conficker kit has turned up an infection. Going to do a scan from a BartPE bootdisc to flush out any other stuff, but imagine that I will probably end up reformatting. Bah. Cheers. – spender – 2009-09-28T16:38:52.370